The general approach to performing an audit is:
- define dates, criteria (i.e., the security requirements that need to be evaluated), and audit scope (i.e., the application to be evaluated).
- develop checklists to help you not forget something during the audit (i.e., what needs to be verified to evaluate if the security requirements are being met).
- evaluate the application. At this point, the most common methods are: Inquiry personnel (e.g., users, developers, administrators, etc.); Observation of the application being used; Examination or Inspection of Evidence (e.g., records of previous processing, system logs, etc.); Re-performance (i.e., repeating previous processing to evaluate its results); and use of tools to perform Computer-Assisted Audit Techniques (CAAT).
- elaborate on the audit report which will include the non-compliances and other findings
Considering a cloud environment, you need to clarify the responsibilities for each asset, so you can properly identify who needs to be audited about which asset.
For example, in an IaaS cloud model, the cloud provider is responsible only for the physical structure, while in a PaaS model, the cloud provider is also responsible for the development environment used by application developers, and in a SaaS environment, the cloud provider is also responsible for the applications.
These articles will provide you a further explanation about preparing an audit: